
E-mail Scams

By Robert Spotswood

Introduction

A fool and his money are soon parted. An old saying and yet, still true. Unfortunately, there is no end to the number of criminals waiting to take advantage of this. The criminals will use any means they can, and that includes e-mail. But, if you arm yourself with some knowledge, you are far more likely to keep your money where it belongs – in your wallet.

Stock Market Spam

You either don't have e-mail or must be living under a rock if you haven't seen this type of spam. It takes one of two forms:

The companies touted are typically small, thinly traded stocks, also called penny stocks, which are high risk investments at the best of times. They typically sell for $5 per share or less, and do not trade on any of the major exchanges, making good information about them harder to come by. These stocks are also almost impossible to short.

Several studies have shown that the price does indeed climb about the time you get this e-mail, but don't expect to make any money on it. The spammers have already bought large amounts of the stock before the spam goes out, then dump it on the price spike.

And I do mean spike! Several studies, such as http://papers.ssrn.com/sol3/papers.cfm?abstract_id=920553, have estimated the spammers make about 5-6% on the day the spam is sent when they sell. The stock price crashes within two days, often to even lower than it was to begin with. Any suckers who try to get rich this way typically lose about 5-6% of their investment within those two days. To put this in perspective, historically, the stock market gains, on average, about 11% in an entire year.

Sometimes, although very rarely, the company isn't even a real company, but a shell corporation with no real income, or even potential income, set up by the spammers. They get stock for almost nothing, spam, sell, and let the company collapse after they have made their money.

Stock spam is a classic case of pump and dump, and has existed long before e-mail. According to SEC testimony (Securities and Exchange Commission – the stock market regulators in the US), this type of fraud has become a major source of income for organized crime.

If you want to take action against the spammers, you can forward ONE copy of any such e-mail to the SEC (http://www.sec.gov/complaint.shtml) which investigates such crimes, but don't expect a reply other than an auto-reply saying they got your message. Don't complain to the company touted in the spam, as rarely are they behind the spam, or even know anything about it beforehand. In fact, the roller coaster of stock price swings has caused some companies to collapse. Needless to say, the companies advertised rarely like the "publicity".

Remember, never invest based on spam. If it really was a good deal, don't you think the spammer would keep such information to himself?

Nigerian 419 Scams

Out of the blue you get an e-mail from someone who sounds desperate. They have millions of dollars they need to move out of a foreign country, often, but not exclusively, Africa or Europe. They need your help and are willing to give you a good percentage of the money as a reward or commission for your help. Welcome to the scam better known as the Nigerian 419.

The usual (alleged) source of the funds, which typically range from $10-50 million, is one of the following:

Of course, claiming the large commission for your help isn't going to be simple. You will be asked to sign documents and return them. Then there are taxes, attorney's fees, transaction fees, even bribes to be paid, by you, before the money can be transferred.

Every fee is promised to be the last one, but somehow, something else always comes up. This can go on for months. During the course of these months, you can expect to receive a great many official documents, with stamps, seals, and logos designed to impress. All are forgeries, of course.

While most of the dealing will be done through e-mail or fax, a personal meeting to close the deal is almost always requested. The meeting is always overseas, half the time in Nigeria or a bordering country. Should you be so foolish as to go, you can expect your "friends" to use violence, threats of physical harm, and other forms of coercion to convince you to release additional funds to them. Murders are not unknown.

This scam gets the name from a section of the Nigerian penal code. It seems to be popular in Nigeria as well as the Western and Southern regions of Africa for some reason, with one estimate putting 50-55% of the 419 scams coming from there. But as mentioned earlier, it can come from any country, with Spain and the Netherlands also being popular sources. Some originate from Canada and even the US.

This type of scam is fairly easy to recognize. Out of the blue, someone wants to trust you with millions of dollars. It doesn't matter what the reason, does this really happen? No, and that's what gives it away. You can never claim your commission as the money doesn't exist and you can't win lotteries and contests you never entered. Don't be suckered regardless of the sob story told. These people are not your friends.

While the general rule about spam is to never, ever respond to it, for the adventurous, these scams can be an exception. Some people get great joy out of playing with the scammers. It's called scam baiting, and it is designed to waste the scammers' time and resources, making it harder for the scammers to find real victims.

Sites such as www.419baiter.com and www.419eater.com have lots of info and examples on how to go about this safely. The 419eater website even has what they call a trophy room, where they post pictures the baiters have convinced the 419 scammers to send them, some of the scammers even holding embarrassing signs. Be warned, though: not all the pictures are G-rated.

Phishing

You just got an urgent e-mail message from the security department at your bank or credit card company. There is something wrong with your account and they suspect it has been compromised. You need to login and verify some details, or confirm billing information, in order to avoid having your account suspended. You click on the link and enter your details. Congratulations! You've just handed your information over to criminals.

Phishing is a term used to describe various attacks to try and get sensitive information, including user names, passwords, credit card numbers, and other information about you by tricking you into entering it into a fake website. Usually, contact is made by e-mail, but instant messaging, phone calls, even text messages have been used. Usually the information gathered is used to break into accounts you have, but cross-overs into identity theft are not unknown.

While early phishing attempts were easy to identify by their bad and broken English, poor website design, and most often the fact you don't have a credit card at the bank, the attacks are getting more sophisticated. Now, the English is perfect, the website looks identical to the real thing, and the attacks are targeted.

For instance, around August 2006, AT&T's computers were broken into and personal data from thousands of customers who had just ordered DSL was accessed, with one report putting the number at 19,000. This was only the first step in a phishing scam.

Shortly afterwards, those customers got customized phishing messages saying there was a problem with their DSL order and they needed to supply additional information. The messages included a legitimate order number culled from the stolen data, along with the person's actual address and last 4 digits of their credit card number. Some phishing messages will include the first 4 digits of your credit card number to lend credibility because many people don't realize that the first 4 digits for a particular card are always the same.

The website forgeries are getting better too. For some time now phishing kits have been available on the black market. They contain everything you need to set up a phishing run in one easy to use kit. However, most target a specific institution and have static web pages. It is ironic to note that an analysis of many of these kits shows back doors where all the information the phisher gets is also sent to the kit's authors. No honor among thieves.

In January of 2007, the security firm RSA announced the discovery of a new phishing kit more sophisticated than before. This one, available for about $1000 at the time, has a simple interface where the phisher picks the site he wants to impersonate. The tool then creates a web site which actually displays the real website on the web server of the phisher. The tool is so good, you actually do log in to the real website while the tool is silently collecting all the information that passes through. Invalid log in data is discarded, so you can't poison the phisher's database.

So how do you defend yourself from such attacks? Well, first, be suspicious of any e-mail asking you to visit a site and enter additional information. The same goes for IM's, text messages, and phone calls. Also be aware of what they are asking for. In the AT&T DSL case mentioned earlier, one of the things asked for was a social security number. Very few sites require a social security number to use a credit card for instance. Your author knows of only one off the top of his head: www.annualcreditreport.com which is the only official site for US residents to get their annual free credit reports thanks to the 2003 Fair and Accurate Credit Transactions Act.

Never click on a link in an e-mail. It's just too easy to send you to a fake website that way. Use a bookmark or Google to visit the site instead. Don't type the address in by hand. Typo squatting is big business and your typing could be influenced by the website given in the e-mail. The website mentioned above, www.annualcreditreport.com, is a popular target for typo squatters.

"Look right" names are also used by the phishers. A real bank, Mountain America credit union, was the target of a rather sophisticated phishing attempt. Among other things, the phishing incorporated look-alike domain names. The real web address of Mountain America is www.macu.com, but the phishers used mountain-america and mountainamerica (both .net) to look like the real bank's name. In this case, they even managed to get an SSL certificate from Equifax.

For Windows users, installing and maintaining good anti-virus software is also a must. Malware authors are increasingly including DNS redirectors and hosts file modifiers. These cause your computer to go to the fake websites even if you enter the real web address in your address bar, or use a known, good, bookmark. There are a number of free anti-virus programs out there for home use. Modern browsers, including Firefox 2.0 and higher, IE7, and Opera, all incorporate anti-phishing tools to help thwart the attacks. There are also additional toolbars you can download if you are really paranoid. Some anti-virus software also incorporates anti-phishing technology. In many e-mail programs, you can hover over the link and it will show the address the link goes to.

You can also look into using OpenDNS. This is a free DNS service that can replace your ISP's DNS. Among the features it offers are a phishing filter and typo correction which will either block your attempt to go to the bad site, or automatically re-route you to the correct site.
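A hosts file entry is consulted before any DNS service, OpenDNS included, so the hosts file modifiers mentioned above are worth checking for directly. This is an added example, not from the original article: a Python check that scans hosts-file text for entries naming domains you care about. The watched list and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: sites you bank or shop at; both names appear in this article.
WATCHED = ("macu.com", "annualcreditreport.com")

def parse_hosts(text):
    """Yield (line_no, address, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid mapping line
        for name in fields[1:]:
            yield line_no, addr, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED):
    """Return mappings that pin a watched domain (or a subdomain) to an address.

    A clean hosts file has no reason to mention your bank at all, so any such
    entry overrides DNS and should be investigated, whatever the address is.
    """
    hits = []
    for line_no, addr, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((line_no, str(addr), name))
    return hits

# Constructed sample; 203.0.113.0/24 is a documentation-only address range.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.macu.com macu.com   # not added by you
203.0.113.45    WWW.AnnualCreditReport.com.
0.0.0.0         ads.example.net
"""
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`.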

Unfortunately, the phishing scene is not static. It's an arms race. The attacks will continue to improve over time as new barriers are put in place by the good guys. Your best defense is to always be suspicious. If you want to see if your suspicion level is good or not, here are two sites where you can take phishing tests: http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest and http://www.sonicwall.com/phishing/. In both cases, you should assume the e-mail is addressed to you and you have an account at the site in question. Well, are you suspicious enough???

Money Mule

The money mule scam is the complement to phishing. Now that the criminals have your info, how do they convert it into cash or goods and get it into their hands without leaving a trail that could lead the authorities right to them? The answer: Hire some money mules.

The scam works like this: You get an e-mail, or sometimes find an ad in the paper or at an on-line job site, offering you a work-at-home job. The titles range from "money transfer agent" to "re-shipping agent" to "financial manager", even "sales representative". There is no end to the fake titles offered. You can work from home and there are no up-front fees or sales involved. All you have to do is be over a certain age and have a bank account.

It seems the foreign company is having trouble getting payments from your country and needs an intermediary to help smooth things along. Sometimes the excuse is delays in processing payments, or the local banks don't accept checks and wire transfers from your country. Sometimes the claim is the laws require a local representative.

Regardless of the excuse, they will typically ask for your bank account information, or in the case of PayPal ask that you add an e-mail address to your account. They will then transfer money into your account and ask that you then withdraw it and send all of it, minus your commission which is typically around 10%, by Western Union or Moneygram to someone in another country. Sometimes you will be sent checks or money orders to deposit instead.

The only problem is the money they send you is stolen. Any checks or money orders are either stolen or forgeries. Congratulations, you've just become a money mule. It won't take long for your bank to realize it either. And the best part is the paper trail for the authorities to follow leads right to you, not to the criminals.

At best, your bank will make YOU repay the stolen money, all of it. They won't care about you not knowing it was stolen. Instead of making money, you lose money. Your accounts can also be frozen and money seized to repay the victims. Don't want to pay? – well, money laundering is a felony. The bank is free to press charges, plus sue you in civil court and mess with your credit record. Meanwhile, the company that hired you is long gone, along with the money you are now stuck with repaying.

One variation of this theme is instead of money, the criminals buy goods with the stolen information, easily re-sellable goods, and have them shipped to you. You then re-ship them to the criminals. The address you send the goods to is just a mail drop and not the criminal's actual address. Meanwhile the credit card companies and postal inspectors can find you very easily.

Another, rarer, variation on this is you are selling something, and someone offers to buy it. Only instead of sending you money, they tell you someone else owes them more than the asking price, so to make things easier, the buyer will have that person send you a money order, wire transfer, or check for you to cash, and you just ship the item being sold and the leftover money to the buyer. You can probably guess by now the money order or check is either a fake or stolen, and your bank is going to get its money back from YOU.

Avoiding these scams is easy once you recognize some of the warning signs:

The last point bears a little more explanation. The companies that are supposedly hiring you are sometimes real companies, but have had their identities stolen to lend more credibility to the job offer. The scammers copy the website of the real company, and just change the contact information and use a similar, reasonable sounding domain name. This way your research on the company shows that it's a legitimate company.

Sometimes they are just fake companies. But either way, the domain name is usually registered only a few days before the scammers start blasting out the job offers. A domain name less than a month old is a great big red warning flag! An older domain name is no guarantee the site is legitimate though.

To check the registered date for a domain, look for a whois tool (there are no spaces between who and is) and check the domain name creation date. Google can help you find an on-line version of this tool if your operating system does not come with such a tool.
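The domain-age check described above can be automated once you have the whois text. The following Python is an added example, not part of the original article: it finds the creation date in whois output and applies the less-than-a-month warning. The 30-day threshold, the label and date-layout lists, and the sample record are assumptions constructed for illustration; registries differ in how they print this field.

```python
import re
from datetime import datetime, timezone

# Labels different registries use for the registration date (assumed list).
DATE_LABELS = ("creation date", "created", "created on", "registered on")
# Date layouts seen after those labels (assumed list).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d",
                "%d-%b-%Y", "%Y.%m.%d", "%Y/%m/%d")
# Fractional seconds and a zone suffix, stripped only when a time precedes them.
ZONE_SUFFIX = re.compile(r"(?<=\d\d:\d\d:\d\d)(\.\d+)?(Z|[+-]\d\d:?\d\d)?$")

def creation_date(whois_text):
    """Return the earliest registration date in whois output, or None."""
    found = []
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in DATE_LABELS:
            continue
        value = ZONE_SUFFIX.sub("", value.strip())
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value, fmt)
            except ValueError:
                continue
            found.append(parsed.replace(tzinfo=timezone.utc))
            break
    return min(found) if found else None

def domain_age_days(whois_text, now=None):
    """Whole days since registration, or None if no date could be read."""
    created = creation_date(whois_text)
    if created is None:
        return None
    return ((now or datetime.now(timezone.utc)) - created).days

def verdict(whois_text, now=None, threshold_days=30):
    """Apply the article's rule: under a month old is a red flag."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown: no creation date in the record"
    if age < threshold_days:
        return "red flag: registered %d days ago" % age
    return "registered %d days ago (age alone proves nothing)" % age

# Constructed sample record; .example is a reserved, non-existent TLD.
SAMPLE_WHOIS = """\
Domain Name: STAFFING-OFFER.EXAMPLE
Creation Date: 2007-03-02T09:14:27Z
Registry Expiry Date: 2008-03-02T09:14:27Z
Registrar: Example Registrar, Inc.
"""
```

Feed it the text printed by your whois tool; a record whose date uses a label or layout not listed here comes back as unknown rather than as safe.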

Remember, no matter how tempting the offer may seem, it is a scam and you are going to get burned. The criminals regard their mules as expendable and don't care what happens to them. The criminals know full well the mules will be caught fairly quickly, but so long as the criminals remain safe and anonymous, they can just recruit new ones.

Conclusion

If you're in the US, you can report Internet fraud at the IC3 website. IC3, a joint venture of the FBI and the non-profit National White Collar Crime Center, serves as a central federal clearinghouse for all reports of Internet crime. To log a complaint, just go to the IC3 website (http://www.ic3.gov), click on "File a Complaint", type in the details, and hit "next." Review your information and click on "submit" when you are ready to send. The folks at IC3 will take it from there.

While only four of the more common scams have been covered here, they should at least help you develop a healthy sense of paranoia and caution. But don't think these are the only scams out there. One thing you have to admire about the criminals and scammers is their creativity. There is no end to what they can come up with. Just remember the old saying, "If it sounds too good to be true, it probably is."